Diffstat (limited to 'roles/ands_openshift')
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml36
-rw-r--r--roles/ands_openshift/tasks/storage_resources.yml7
-rw-r--r--roles/ands_openshift/tasks/users_resources.yml8
3 files changed, 27 insertions, 24 deletions
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5644723..5b80f1e 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -6,49 +6,41 @@
- name: Patch group range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
- name: Patch uid range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
- name: Restrict supplementalGroups
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
resource: "scc/restricted"
modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
- name: Configure runAsUser
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
resource: "scc/restricted"
modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
patch: '{"runAsUser":{"type":"{{mode}}"}}'
patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
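Review bot: The new `patch:` lines at L25 and L39 splice `item.value` verbatim into a hand-written JSON document, so a range value containing a double quote or backslash produces an unparsable patch (or a different annotation than intended) and nothing checks it before the included patch task runs. Rendering the value with the JSON filter keeps the document well-formed whatever the value holds: `patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":{{ item.value | to_json }}}}}'`, and the same form for the uid-range line. The `{{mode}}` interpolations at L54 and L70 are unchanged context with the same shape. It would also help to state in a comment that the two `scc/restricted` tasks patch a cluster-scoped object once per project in the `with_dict` loop, so if `openshift_resource/patch.yml` uses `project` only as a namespace flag the last project's mode is presumably what ends up on the SCC; worth confirming against that role.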
diff --git a/roles/ands_openshift/tasks/storage_resources.yml b/roles/ands_openshift/tasks/storage_resources.yml
index 5adf69e..c83c677 100644
--- a/roles/ands_openshift/tasks/storage_resources.yml
+++ b/roles/ands_openshift/tasks/storage_resources.yml
@@ -13,7 +13,7 @@
template_path: "{{ storage_template_path }}"
project: "{{ prj_item }}"
recreate: "{{ result | changed | ternary (true, false) }}"
- with_items: "{{ ands_openshift_projects.keys() | union(['default']) }}"
+ with_items: "{{ ands_openshift_projects.keys() }}"
loop_control:
loop_var: prj_item
@@ -28,6 +28,9 @@
template_path: "{{ storage_template_path }}"
project: "{{ prj_item }}"
recreate: "{{ result | changed | ternary (true, false) }}"
- with_items: "{{ ands_openshift_projects.keys() | union(['default']) }}"
+ with_items: "{{ ands_openshift_projects.keys() }}"
loop_control:
loop_var: prj_item
+
+
+ \ No newline at end of file
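Review bot: L94 (and L86 in the previous hunk) call `.keys()` on the bare `ands_openshift_projects` variable, whereas the same commit reads that variable through `| default({})` everywhere in security_resources.yml; if it is undefined this loop aborts the play instead of iterating nothing. `with_items: "{{ (ands_openshift_projects | default({})).keys() }}"` keeps the two files consistent. Dropping `| union(['default'])` also means the `default` namespace is no longer visited by this loop; if earlier runs created the template's resources there, nothing in this commit removes them, which is presumably intended but deserves a comment above the loop such as `# the 'default' project is deliberately no longer managed by this template`. The task that owns these lines begins outside the hunk.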
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 5bc748c..722e1eb 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
@@ -19,6 +19,14 @@
command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}"
with_items: "{{ new_projects | default([]) }}"
+- name: Allow projects to pull images from KaaS imagestreams
+ command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas"
+ with_items: "{{ ands_openshift_projects.keys() }}"
+ when:
+ prj_item != "kaas"
+ loop_control:
+ loop_var: prj_item
+
- name: Configure per project roles
command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"